OSEC

From: Jason Brvenik (jasonbetrusted.com)
Date: Fri Jan 04 2002 - 12:39:06 CST


    SSL only requires the server side certificate to enable full encryption
    of the transported data in any direction. The client cert really only
    adds value by providing strong authentication / authorization; the SSL
    protocol stands on its own without it.

    It works like this. ( in a very simplified way )
    1) Client connects and requests the SSL session.
    2) Client inspects provided credentials for validity.
    3) Allow / Deny based on trust that is explicit or granted.
    4) A symmetric key is negotiated and exchanged using the public/private
    keypair of the server certificate.
    5) All communication is done with the symmetric keys.
    6) Some time later ( or after a qualifying event ) the keys are
    renegotiated.

    The major thing missing in this is trust. There is no trust that your
    server is your server if the client cannot verify the issuing authority.
    If you allow the SSL even though the client does not have the CA key,
    what is to stop the wily hx0r d00d from creating a CA that looks and
    feels like yours and then impersonating your server / replacing your
    cert and gaining all access anyway?

    If you would like more information please contact me directly at
    jasonbetrusted.com.

    Regards,
    Jason.
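The step 2 / step 3 decision and the trust problem the post describes can be shown concretely with a small Go program. This is an added example, not code from the post or from Neohapsis; the CA names, the host name `www.example.test` and all keys are constructed in memory and are hypothetical. It issues a genuine server certificate from "our" CA, then a second certificate for the same host from a look-alike CA with the same name but a different key, and runs the client-side verification (`x509.Certificate.Verify`) three ways: client trusts our CA, client trusts our CA but is shown the impostor, and client has no CA at all. The last case is the situation the post warns about: without the CA the client cannot tell the genuine certificate from the impostor, so "allowing it anyway" means accepting either.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed for this example: the host name, CA names and keys are all
// generated in memory and never touch the network.
const serverHost = "www.example.test"

// randomSerial draws a random serial number, as real CAs do.
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
}

// newCA creates a self-signed CA certificate with the given subject name.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServerCert issues a server (leaf) certificate for host, signed by ca.
func issueServerCert(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// clientAccepts is the post's step 2: the client checks that the presented
// certificate chains to a CA it trusts and names the host it meant to reach.
// A nil error is "Allow" in step 3; anything else is "Deny".
func clientAccepts(presented *x509.Certificate, trusted *x509.CertPool, host string) error {
	_, err := presented.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	return err
}

// isUnknownAuthority reports whether a rejection was specifically "I do not
// know the CA that signed this", as opposed to an expired cert or wrong name.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// Outcome records the Allow/Deny decision for each scenario.
type Outcome struct {
	GenuineAccepted   bool // our cert, client trusts our CA
	ImpostorAccepted  bool // look-alike CA's cert, client trusts our CA
	GenuineWithoutCA  bool // our cert, client has no CA at all
	ImpostorWithoutCA bool // look-alike cert, client has no CA at all
	ImpostorRejectedAsUnknownCA bool
}

func runScenario() (Outcome, error) {
	ourCA, ourKey, err := newCA("Example Corp Root CA")
	if err != nil {
		return Outcome{}, err
	}
	// Same name as ours, different key: the "CA that looks and feels like yours".
	fakeCA, fakeKey, err := newCA("Example Corp Root CA")
	if err != nil {
		return Outcome{}, err
	}
	genuine, err := issueServerCert(serverHost, ourCA, ourKey)
	if err != nil {
		return Outcome{}, err
	}
	impostor, err := issueServerCert(serverHost, fakeCA, fakeKey)
	if err != nil {
		return Outcome{}, err
	}
	trustOurs := x509.NewCertPool()
	trustOurs.AddCert(ourCA)
	trustNothing := x509.NewCertPool() // empty: client was never given the CA

	impostorErr := clientAccepts(impostor, trustOurs, serverHost)
	return Outcome{
		GenuineAccepted:             clientAccepts(genuine, trustOurs, serverHost) == nil,
		ImpostorAccepted:            impostorErr == nil,
		GenuineWithoutCA:            clientAccepts(genuine, trustNothing, serverHost) == nil,
		ImpostorWithoutCA:           clientAccepts(impostor, trustNothing, serverHost) == nil,
		ImpostorRejectedAsUnknownCA: isUnknownAuthority(impostorErr),
	}, nil
}

func main() {
	out, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The point to notice is the last two fields: with an empty trust store the genuine and the impostor certificate are rejected with the very same `UnknownAuthorityError`, so a client that is configured to proceed on that error has no way to prefer one over the other. Distributing the CA certificate to clients (and only accepting on a clean verification) is what turns the encrypted channel into a trusted one.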